The Ghost (Cring) ransomware is a critical cybersecurity threat primarily targeting organizations with vulnerable systems, including healthcare, finance, government, and education sectors. This ransomware employs sophisticated techniques such as exploiting vulnerabilities, lateral movement, and advanced evasion methods to encrypt sensitive data and demand ransom payments. Affected: healthcare, financial services, government, critical infrastructure, manufacturing, education, professional services, retail, e-commerce
Keypoints :
- Ghost (Cring) ransomware has been active since at least 2021, targeting vulnerable internet-facing systems.
- Targets include healthcare, financial services, government, manufacturing, education, and retail sectors.
- Initial access is gained by exploiting vulnerabilities, such as FortiOS CVE-2018-13379.
- Ghost employs techniques like lateral movement, privilege escalation, and deployment of ransomware payloads.
- Encryption of data is conducted using a hybrid encryption system (AES-256 and RSA-2048).
- Persistence is ensured through methods like scheduled tasks and modifications to system registries.
- Organizations are advised to implement EDR/XDR solutions, MFA, and regular patch management for mitigation.
- CISA provides resources and best practices for unveiling and responding to ransomware threats.
MITRE Techniques :
- Initial Access: Exploit Public-Facing Application (T1190) – Ghost actors exploit vulnerabilities in public-facing systems for access.
- Execution: Windows Management Instrumentation (T1047) – Utilizing WMI to run scripts across devices.
- Execution: PowerShell (T1059.001) – PowerShell is used for deployment operations.
- Execution: Windows Command Shell (T1059.003) – Malicious content is downloaded through Command Shell.
- Persistence: Account Manipulation (T1098) – Changing passwords and modifying user accounts for persistence.
- Privilege Escalation: Exploitation for Privilege Escalation (T1068) – Tools to exploit vulnerabilities for elevated privileges.
- Defense Evasion: Application Layer Protocol (T1071.001) – HTTP/HTTPS used for command and control operations.
- Credential Access: OS Credential Dumping (T1003) – Using tools to collect passwords and hashes.
- Discovery: Remote System Discovery (T1018) – Identifying remote systems for further exploitation.
- Impact: Data Encrypted for Impact (T1486) – Encrypting files using ransomware variants.
Indicator of Compromise :
- [MD5] Cring.exe c5d712f82d5d37bb284acd4468ab3533
- [MD5] Ghost.exe 34b3009590ec2d361f07cac320671410
- [MD5] ElysiumO.exe 29e44e8994197bdb0c2be6fc5dfc15c2
- [MD5] Locker.exe ef6a213f59f3fbee2894bd6734bbaed2
- [GitHub] IOX github[.]com/EddieIvan01/iox – An open-source proxy used in attacks.
Full Story: https://socradar.io/dark-web-profile-ghost-cring-ransomware/